Fighting DDOS attacks with pf

[J David]

Hello,

We experience frequent DDOS attacks, and we're having a tough time
mitigating them with pf.  We have plenty of bandwidth and processing
power, we just can't seem to get the rules right.

If, for example, I have a single IP address on the outside attacking a
range of IPs on the inside, it is very easy to write a max-src-states
rule that will count the states for that IP and flush the attacker to
a "drop quick" table if they exceed the limit.

However, the nature of a DDOS attack is that there is not a single
source IP.  The source IP is either outright forged or one of a large
number of compromised attacking hosts.  So what I really want to do is
have a "max-dst-states" rule that would at least temporarily blackhole
an IP being attacked, but there's no such thing.

Currently we have to run a script once per minute that parses "pfctl
-s info" looking for large numbers of states to a common destination.
But as we have our states set to 1000000, this is really inefficient
and of course takes at least a minute to catch up to an attack.

Is there a better way to do this?

This is on FreeBSD 9.1-PRERELEASE #0 r238540.

Thanks for any help!